The 2021 Verizon Data Breach Investigates Report is out and, once again, it highlights a couple of significant breach causes that a proper identity infrastructure should help mitigate. I’ll highlight those two items below along with some commentary.
“Credentials remain one of the most sought-after data types.”
“Finally, we were also curious what kind of data was the fastest to be compromised, and that turns out to be Credentials. This is particularly the case in Phishing, which typically goes after the victim’s credentials for use in gaining further access to their chosen victim organization.”
This should be no surprise to any of us. Obtain a credential, access a system, look for a privileged account, and start doing bad things. According to the report, about 25% of breaches start with a stolen credential; some of those credentials are stolen through phishing e-mails.
Another significant breach cause highlighted in the report is the misuse of privileges. And, while not drawn out in the report, most of us should know that a hacker is most interested in obtaining one or more privileged accounts once they get in your systems. Ipso facto, once they have a privileged account, they are going to abuse it.
“This pattern is an uncomfortable one – that is where the people we trust betray us. Privilege Misuse is our colleagues deciding (for a number of reasons) to take their access and use it to pilfer data they are not authorized to take or use it in ways they really shouldn’t.”
What should we be doing to help ourselves?
Protecting credentials is a challenge. With phishing, you must rely on your employees to understand that they shouldn’t click on links in e-mails or open attachments unless they are 100% sure of the origin and trustworthiness of any attachment. Fortunately, there are some products that can help. There are firewall and other vendors who specialize in “sandbox” products that basically will analyze e-mails, including their attachments, and execute or open those attachments outside your company in a sandbox. These technologies have been in existence for some time now, and, as I mentioned, many firewall vendors include this capability. There is also some new technology called Remote Browser Isolation (RBI). RBI tools render website content in virtual browsers sealed in containers, in the cloud. By isolating website content and seamlessly streaming that content to the users’ regular web browsers, you can safeguard your networks from malware hidden on websites – even advanced zero-day ransomware.
Privileged account management (PAM) products are commonly used to protect privileged accounts. While I was at Quest Software, we acquired e-DMZ Software in 2011 for their PAM product. So, for more than a decade, PAM products have existed. The PAM products can protect privileged account credentials, and some of them can record what a privileged account is being used for (aka “session management”). Even if such abuse is happening by a trusted individual with session management, at least you can verify what your trusted employees are doing with those privileged accounts. If your company is not using a PAM product or doesn’t have a PAM strategy, then it is hard to see how you are going to prevent privilege misuse.
Whether it’s privileged accounts, or a non-privileged account or credential, your first line of defense is your identity infrastructure. It seems self-evident that most companies already have solutions for identity and access management (IAM), or identity governance and administration (IGA). These tools form the “meat and potatoes” identity products of most enterprises.
So, what’s missing?
A lot of the “meat and potatoes tools” that are being used today are legacy products that have been around for many years. These legacy tools haven’t incorporated new technologies like machine learning (ML), for example. With ML, it is possible to understand, over time, what users’ normal logon and logoff time frames are, how much content they upload or download, how often they might use a privileged account, how many times privileged accounts are being used, and more. Identity is key to security. It’s important that new technologies, like ML, find their way into today’s modern identity products. That’s one reason why we are doing a lot of research in the ML space. Threats have become so sophisticated that legacy “meat and potatoes” products are not sufficient to protect us.
Another problem that is surfacing is that we have too many identity silos. In many enterprises, separate tools from separate vendors are used to manage privileged accounts, manage access (SSO), identities (IAM), and governance (IGA). The data of each of these products is stored separately. However, if this data was stored in the same place, it would be easier to tell stories from this data. For example, when someone wants to access a system and they are a privileged user, perhaps that transaction is more risky and multi-factor authentication should be used. Or, when a user is added to a group that gives them elevated privileges, perhaps the manager of those privileges and the manager of that user should approve. With separate silos, it’s almost a self-fulfilling prophecy that integrated data stories are not being considered. This is especially true when the silos are maintained and operated by different groups within a company.
This is exactly the reason why we have built Clear Skye on top of ServiceNow.
Each ServiceNow instance has its own database that is used to store data in tables. While each application has its specific set of tables and columns, some tables, like users and tasks, are shared by many different applications. All records stored in tables enable a single system of records that correlates all business services and processes throughout the enterprise. This makes it easier for us to signal risk to ServiceNow’s Integrated Risk Management (IRM) or Security Operations (SecOps) modules. And likewise, it allows us to act on the shared data inside the IRM, SecOps, Human Resources (HR) or any other ServiceNow module.
Identity is security and we, at Clear Skye, believe that breaking down the silos of identity data and leveraging new technologies, like machine learning, will ultimately allow us all to sleep better at night.